
I have an angular application that's authenticating users using OpenID, in which I have access to the access_token that should be used to authenticate against other services.

I'm currently using the Authentication Code flow of OAuth/OpenID.

I am trying to use that access_token to authenticate users on a .NET Core Web API. Whatever combination of settings I make here doesn't seem to get me any closer to the solution.

Startup.cs

 services.AddAuthentication(options =>
 {
     options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
     options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
     options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
 })
 .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
 .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
 {
     options.Authority = oauthOptions.Authority;
     options.ClientId = oauthOptions.ClientId;
     options.ClientSecret = oauthOptions.ClientSecret;

     options.ResponseType = OpenIdConnectResponseType.Code;
     options.UsePkce = true;
     options.GetClaimsFromUserInfoEndpoint = true;
     options.SaveTokens = true;

     oauthOptions.Scopes.ForEach(scope => options.Scope.Add(scope));
 });

I appreciate any guidance/link on this.

1 Answer


In this case what you most likely need is JWT Bearer Authentication or a Token Introspection library which validates the access token against the Identity Provider.

For JWT, this is provided via the Microsoft.AspNetCore.Authentication.JwtBearer NuGet package and can be used like this:

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://url.to.your/identity-provider";
        options.Audience = "your-expected-audience"; // e.g. a GUID or resource identifier
    });

This way you can get and update JWT Bearer access tokens in your SPA application and send authenticated requests to the API backend (using Authorization: Bearer ... headers).

If your identity provider uses reference tokens (i.e., they don't contain the authentication information but instead need to be used to get the authentication information from the identity provider), you will need to use token introspection. This is - for example - provided by third party libraries like IdentityModel.AspNetCore.OAuth2Introspection.

Example for using IdentityModel.AspNetCore.OAuth2Introspection:

services.AddAuthentication(OAuth2IntrospectionDefaults.AuthenticationScheme)
    .AddOAuth2Introspection(options =>
    {
        options.Authority = "https://url.to.your/identity-provider";
        // Introspection requires client credentials to authenticate the requests
        options.ClientId = "client_id_for_introspection_endpoint";
        options.ClientSecret = "client_secret_for_introspection_endpoint";
    });
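As an added example (not code from the answer or the questioner), the two handlers above can be registered side by side so the API accepts both token types: the JWT handler stays the default and forwards to the introspection handler whenever the bearer token has no `.` separators, which is exactly the situation in the comments where the token turned out not to be a JWT. It assumes the .NET 6 minimal hosting model; the authority, audience and introspection client credentials are placeholders.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using IdentityModel.AspNetCore.OAuth2Introspection;

var builder = WebApplication.CreateBuilder(args);

// Placeholders: your provider's issuer URL and the API identifier the token must carry in "aud".
const string Authority = "https://url.to.your/identity-provider";
const string Audience = "your-expected-audience";

builder.Services.AddAuthentication("token")
    // Self-contained JWTs: signature checked against the keys the provider publishes
    // via discovery, plus issuer, audience and lifetime checks.
    .AddJwtBearer("token", options =>
    {
        options.Authority = Authority;
        options.Audience = Audience;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ClockSkew = TimeSpan.FromMinutes(1) // default is 5 minutes
        };
        // Reference tokens are opaque strings without '.' separators: hand those to the
        // introspection scheme instead of letting the JWT handler reject them as malformed.
        options.ForwardDefaultSelector = context =>
        {
            string auth = context.Request.Headers["Authorization"].ToString();
            const string prefix = "Bearer ";
            if (auth.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)
                && !auth.Substring(prefix.Length).Contains('.'))
            {
                return "introspection";
            }
            return null; // null = keep handling the request with this (JWT) scheme
        };
    })
    // Reference tokens: validated by calling the provider's introspection endpoint.
    .AddOAuth2Introspection("introspection", options =>
    {
        options.Authority = Authority;
        options.ClientId = "client_id_for_introspection_endpoint";
        options.ClientSecret = "client_secret_for_introspection_endpoint";
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/me", (ClaimsPrincipal user) => user.Identity?.Name ?? "anonymous").RequireAuthorization();
app.Run();
```

Both handlers need HTTPS access to the provider's discovery document; a 401 from either scheme is logged under the `Microsoft.AspNetCore.Authentication` category, which is the first place to look when the audience or issuer does not match.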

5 Comments

Hey Martin.. many thanks for the help. I have actually tried something similar, but what bothers me in this case is that the token I have doesn't seem to be a valid JWT (pastebin.com/b19CkxjR) .. hence, I get the Unauthorized response code.. Would you know what I could be missing?
If it's not a JWT token, you need to use token introspection - for this there is no in-box solution but community libraries (like github.com/IdentityModel/…). Please update the question accordingly if that is the case.
Also I cannot access the paste, but suggest you check by pasting your access_token into jwt.io to find out if it is a valid JWT.
You're a life saver! The library you recommended worked like a charm.. please post it on a separate comment so I can mark it as the final solution.
Updated the answer
